Harden Codex harness control surfaces (#77459)

* fix(scripts): find codex protocol source from worktrees * fix(test): keep codex harness docker caches writable * fix(test): relax live codex cache mount permissions * test(codex): add live docker harness debug output * fix(test): detect numeric ci env in codex docker harness * fix(codex): skip duplicate agent-command telemetry * fix(tooling): skip sparse-missing oxlint tsconfig * fix(tooling): route changed checks through testbox * fix(qa): keep coverage json source-clean * fix(test): preflight codex docker auth * fix(codex): validate bind option values * fix(codex): parse quoted command arguments * fix(codex): reject extra control args * fix(codex): use content for blank bound prompts * fix(codex): decode local image file urls * fix(codex): treat local media urls as images * fix(codex): keep windows media paths local * fix(codex): reject malformed diagnostics confirmations * fix(codex): reject malformed resume commands * fix(codex): reject malformed thread actions * fix(codex): reject malformed turn controls * fix(codex): reject malformed model controls * fix(codex): resolve empty user input prompts * fix(codex): enforce user input options * fix(codex): reject ambiguous computer-use actions * fix(codex): ignore stale bound turn notifications * test(gateway): close task registries in gateway harness * test(gateway): route cleanup through task seams * fix(codex): describe current permission approvals * fix(codex): disclose command approval amendments * fix(codex): preserve approval detail under truncation * fix(codex): propagate dynamic tool failures * test(codex): align dynamic tool block contract * fix(codex): reject extra read-only command operands * fix(codex): escape command readout fields * fix(codex): escape status probe errors * fix(codex): narrow formatted thread details * fix(codex): escape successful status summaries * fix(codex): escape bound control replies * fix(codex): escape user input prompts * fix(codex): escape control failure replies * fix(codex): escape approval prompt text * test(codex): narrow escaped reply assertions * test(codex): complete strict reply fixtures * test(codex): preserve account fixture literals * test(codex): align status probe fixtures * fix(codex): satisfy sanitizer regex lint * fix(codex): harden command readouts * fix(codex): harden bound image inputs * fix(codex): sanitize command failure replies * test(codex): complete rate limit fixture * test(tooling): isolate postinstall compile cache fixture * fix(codex): keep app-server event ownership explicit --------- Co-authored-by: pashpashpash <nik@vault77.ai>
2026-05-06 14:30:45 +00:00 · 2026-05-04 15:23:41 -07:00
parent b3e42bf327
commit ac3cd1a0ca
42 changed files with 2672 additions and 245 deletions
--- a/test/scripts/changed-lanes.test.ts
+++ b/test/scripts/changed-lanes.test.ts
@@ -8,8 +8,10 @@ import {
  isPackageScriptOnlyChange,
 } from "../../scripts/changed-lanes.mjs";
 import {
+  buildChangedCheckTestboxArgs,
  createChangedCheckChildEnv,
  createChangedCheckPlan,
+  shouldDelegateChangedCheckToTestbox,
 } from "../../scripts/check-changed.mjs";
 import { cleanupTempDirs, makeTempRepoRoot } from "../helpers/temp-repo.js";

@@ -215,6 +217,44 @@ describe("scripts/changed-lanes", () => {
    });
  });

+  it("delegates local Testbox-mode changed gates before running locally", () => {
+    expect(
+      shouldDelegateChangedCheckToTestbox(["--base", "origin/main"], {
+        OPENCLAW_TESTBOX: "1",
+        PATH: "/usr/bin",
+      }),
+    ).toBe(true);
+
+    expect(buildChangedCheckTestboxArgs(["--base", "origin/main", "--head", "HEAD"])).toEqual([
+      "testbox:run",
+      "--",
+      "OPENCLAW_TESTBOX=1",
+      "OPENCLAW_TESTBOX_REMOTE_RUN=1",
+      "pnpm",
+      "check:changed",
+      "--base",
+      "origin/main",
+      "--head",
+      "HEAD",
+    ]);
+  });
+
+  it("does not delegate dry-run, CI, or already-remote changed gates", () => {
+    expect(shouldDelegateChangedCheckToTestbox(["--dry-run"], { OPENCLAW_TESTBOX: "1" })).toBe(
+      false,
+    );
+    expect(
+      shouldDelegateChangedCheckToTestbox([], { OPENCLAW_TESTBOX: "1", GITHUB_ACTIONS: "true" }),
+    ).toBe(false);
+    expect(shouldDelegateChangedCheckToTestbox([], { OPENCLAW_TESTBOX: "1", CI: "1" })).toBe(false);
+    expect(
+      shouldDelegateChangedCheckToTestbox([], {
+        OPENCLAW_TESTBOX: "1",
+        OPENCLAW_TESTBOX_REMOTE_RUN: "1",
+      }),
+    ).toBe(false);
+  });
+
  it("runs changed-check lint lanes under the parent heavy-check lock", () => {
    const result = detectChangedLanes(["extensions/discord/src/index.ts"]);
    const plan = createChangedCheckPlan(result, { env: { PATH: "/usr/bin" } });